<div align="Center"> 
<p><b>Lesson Plan Title:</b> How to Spoof an Authentication Cookie </p>
 </div>
 
<p><b>Concept / Topic To Teach:</b> </p>

Many applications will automatically log a user into their site if the right authentication cookie is specified. &nbsp; Some times the cookie values can be guessed if the algorithm for generating the cookie can be obtained. &nbsp;Some times the cookies are left on the client machine and can be stolen by exploiting another system vulnerability. &nbsp;Some times the cookies maybe intercepted using Cross site scripting. &nbsp;This lesson tries to make the student aware of authentication cookies and presents the student with a way to defeat the cookie authentication method in this lesson.<br>
<p><b>General Goal(s):</b> </p>
<!-- Start Instructions -->
 The user should be able to bypass the authentication check.
Login using the webgoat/webgoat account to see what happens. You may also try aspect/aspect. When you understand the authentication cookie, try changing your identity to alice.
<!-- Stop Instructions -->